Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method to enable confidential communication among users who are members of a group, the method comprising: at a first device associated with a first user who is a member of the group: generating a first data block for an ordered list of data blocks representing a chronological account of group member updates to the group, the first data block including a timestamp of creation of the first data block, identity information of the first user, information specifying addition of at least a second user to be a member to the group, and information pointing to a location of encrypted content to be shared among members of the group, the encrypted content having been encrypted with a symmetric key of the first user, wherein each data block comprises an object signed with a private key at the device of the user that created the data block and includes attributes representing: a Uniform Resource Indicator (URI) of the user that created the data block, an array of group membership update operations, a timestamp for creation of the data block, and a hash of a preceding data block in the ordered list; generating a group key that includes a hash of the first data block; encrypting a key material portion of the group key using a multi-recipient encryption process that indicates at least the second user as a recipient; communicating the ordered list and the group key to a communication resource to which a device of the second user has access; and sending to the device of the second user the information pointing to the location of the encrypted content, and information pointing to the ordered list and the group key.
Confidential group communication system. This invention addresses the challenge of secure and ordered sharing of information and group membership updates within a defined group of users. The method involves a first device belonging to a first user. This device creates a first data block. This block is part of an ordered list that chronologically records updates to the group. The data block contains a creation timestamp, the identity of the first user, information about adding at least a second user to the group, and a pointer to encrypted content. This encrypted content is shared among group members and was encrypted by the first user using their symmetric key. Each data block is digitally signed by the creator's private key. It includes attributes such as the creator's URI, details of group membership changes, the creation timestamp, and a hash of the previous data block in the list. A group key is generated, which incorporates a hash of this first data block. A portion of this group key is then encrypted using a multi-recipient method, specifying the second user as a recipient. The ordered list of data blocks and the generated group key are sent to a communication resource accessible by the second user's device. Finally, the second user's device receives a pointer to the encrypted content, along with pointers to the ordered list and the group key.
2. The method of claim 1 , further comprising, at the device of the second user: generating a second data block to be appended to the order list, the second data block including a time stamp of creation of the second data block, a hash of the first data block in the ordered list, and information indicating additional of at least a third user as a new member to the group and/or information indicating removal of at least one user who is an existing member of the group; and sending the second data block to a device of the third user.
This invention relates to a method for managing group membership in a distributed system, particularly for securely updating and maintaining an ordered list of group members. The problem addressed is ensuring tamper-proof and verifiable updates to group membership, such as adding or removing users, while maintaining a cryptographically secure record of changes. The method involves generating a second data block to be appended to an existing ordered list of group members. This second data block includes a timestamp of its creation, a hash of the preceding data block in the list, and information specifying the addition of at least one new user to the group or the removal of an existing user. The second data block is then sent to the device of the new user, ensuring they are aware of their inclusion in the group. The use of hashing and timestamps ensures the integrity and chronological order of the membership updates, preventing unauthorized modifications. This approach is useful in decentralized systems where trustless verification of group changes is required, such as in blockchain-based applications or secure communication platforms.
3. The method of claim 2 , further comprising, at the device of the third user, validating the ordered list by: verifying signatures of each data block in the ordered list; verifying that each data block contains a valid hash of a preceding data block in the ordered list; and verifying that each data block in the ordered list was created and signed by a member of the group.
This invention relates to a method for validating an ordered list of data blocks in a distributed system, particularly in a group-based cryptographic environment. The problem addressed is ensuring the integrity and authenticity of data blocks in a shared ledger or similar structure, where multiple users contribute and must verify the consistency of the data. The method involves a device of a third user validating an ordered list of data blocks by performing several checks. First, the device verifies the digital signatures of each data block to confirm they were created and signed by an authorized member of the group. Second, it checks that each data block contains a valid cryptographic hash of the preceding data block, ensuring the sequence has not been tampered with. Third, it confirms that every data block in the list was generated and signed by a member of the group, maintaining the integrity of the shared data structure. This validation process ensures that the ordered list remains consistent, tamper-proof, and trustworthy among all participants. The method is particularly useful in decentralized systems where multiple parties contribute to a shared ledger, such as blockchain or distributed ledger technologies, where data integrity and authenticity are critical. The validation steps prevent unauthorized modifications and ensure that only valid, properly signed data blocks are accepted into the ordered list.
4. The method of claim 1 , wherein each data block comprises a JavaScript Object Notation (JSON) object.
A system and method for data processing involves organizing data into structured blocks, where each block contains a JavaScript Object Notation (JSON) object. JSON is a lightweight data interchange format that uses human-readable text to represent structured data, making it easy for machines to parse and generate. The use of JSON objects within data blocks enables efficient storage, transmission, and manipulation of hierarchical or nested data structures. This approach is particularly useful in applications requiring interoperability between different software systems, as JSON is widely supported across programming languages and platforms. The method ensures compatibility with web-based applications, APIs, and distributed systems by leveraging JSON's standardized format. Additionally, the structured nature of JSON objects allows for easy validation, serialization, and deserialization, reducing errors in data handling. The system may further include mechanisms for encrypting or compressing the JSON objects to enhance security and efficiency during transmission or storage. This method is applicable in various domains, including cloud computing, web services, and data analytics, where structured, portable, and machine-readable data formats are essential.
5. The method of claim 1 , wherein a group membership update operation is indicated in the object with a field containing a tag indicating an add operation or a remove operation, and a URI of an entity being added to the group or removed from the group.
This invention relates to group membership management in distributed systems, addressing the challenge of efficiently tracking and updating group memberships across multiple entities. The method involves using an object to represent a group membership update operation, where the object includes a field containing a tag that specifies whether the operation is an add or remove action. Additionally, the object includes a URI (Uniform Resource Identifier) that identifies the entity being added to or removed from the group. This approach ensures clear and unambiguous communication of group membership changes, enabling systems to process updates accurately and maintain consistent group state across distributed environments. The method supports dynamic group modifications, allowing entities to be added or removed as needed while preserving system integrity. By encoding the operation type and target entity in a structured format, the invention simplifies the handling of group membership updates, reducing complexity and potential errors in distributed systems. This solution is particularly useful in scenarios where groups of entities must be managed dynamically, such as in collaborative applications, access control systems, or distributed computing frameworks. The use of URIs ensures interoperability and flexibility, as entities can be referenced in a standardized manner.
6. The method of claim 1 , wherein the first data block in the ordered list includes a nonce and URI that uniquely identifies the communication resource.
This invention relates to data communication systems, specifically methods for organizing and identifying communication resources in a structured manner. The problem addressed is the need for a reliable way to uniquely identify and access communication resources within a system, ensuring data integrity and efficient retrieval. The method involves creating an ordered list of data blocks, where each block contains information related to a communication resource. The first data block in this list includes a nonce, which is a unique, randomly generated value, and a URI (Uniform Resource Identifier) that uniquely identifies the communication resource. The nonce ensures that each data block is distinct, preventing duplication or confusion, while the URI provides a standardized way to locate and access the resource. Subsequent data blocks in the list may contain additional information, such as metadata or payload data, further describing the communication resource. This approach enhances security and reliability by ensuring that each communication resource is uniquely identifiable and accessible. The use of a nonce and URI in the first data block provides a robust mechanism for distinguishing between different resources and maintaining data integrity. The ordered list structure allows for efficient organization and retrieval of the data blocks, improving overall system performance. This method is particularly useful in distributed systems, where multiple nodes may need to access and manage communication resources securely and efficiently.
7. The method of claim 2 , further comprising at a device of a fourth user: receiving from the device of the third user information for at least first and second ordered lists of data blocks that have in common the second data block but which first and second ordered lists have two different third data blocks subsequent to the second data block; and selecting between the two different third data blocks bashed on hash values of the two different third data blocks, respectively.
This invention relates to data synchronization and conflict resolution in distributed systems, particularly for resolving discrepancies in ordered lists of data blocks shared among multiple users. The problem addressed is ensuring consistency when different users modify the same data structure, leading to conflicting versions where the order of data blocks diverges after a common point. The method involves a device of a fourth user receiving information from a third user's device about at least two ordered lists of data blocks. These lists share a common second data block but differ in the subsequent third data blocks. The fourth user's device resolves the conflict by comparing hash values of the two conflicting third data blocks and selecting one based on these values. This ensures deterministic conflict resolution without manual intervention, maintaining data integrity across distributed systems. The method builds on a broader system where users can propose changes to shared data structures, and a central or distributed mechanism evaluates these changes to resolve conflicts. The hash-based selection ensures that the most recent or authoritative version is chosen, preventing data corruption due to conflicting updates. This approach is particularly useful in collaborative applications, version control systems, or distributed databases where multiple users may edit the same data concurrently.
8. The method of claim 7 , wherein selecting comprises selecting between the two different third data blocks based on which of the two different third data blocks has a numerically smallest hash value.
This invention relates to data processing systems that manage data blocks, particularly in distributed or storage systems where efficient selection and retrieval of data blocks is critical. The problem addressed is optimizing the selection of data blocks to improve performance, reduce redundancy, or enhance reliability in systems where multiple versions or copies of data blocks may exist. The method involves selecting between two different third data blocks, where each third data block is derived from a first data block and a second data block. The selection process is based on comparing the hash values of the two third data blocks. The block with the numerically smallest hash value is chosen. This approach ensures a deterministic and consistent selection mechanism, which is useful in scenarios where multiple data blocks may represent the same or similar information, such as in deduplication, version control, or distributed storage systems. The use of hash values provides a simple yet effective way to resolve conflicts or ambiguities in data block selection without requiring complex decision logic. The method may be part of a broader system for managing data blocks, where the first and second data blocks are processed to generate the third data blocks. The selection based on hash values ensures that the chosen third data block is consistently selected across different instances of the system, improving reliability and reducing inconsistencies. This technique is particularly valuable in environments where data integrity and performance are critical, such as cloud storage, backup systems, or distributed databases.
9. The method of claim 1 , further comprising, at the device of the second user: receiving the information pointing to the location of the encrypted content, the ordered list and the group key; determining that the first user is trusted based on the identity information of the first user; if it is determined that the first user is trusted, retrieving the ordered list and the group key using the information pointing to the ordered list and the group key; and verifying signatures of the first data block and the group key by discovering and retrieving a public key of the first user.
This invention relates to secure content sharing in a distributed system, addressing the challenge of verifying the authenticity and integrity of shared encrypted content. The method involves a second user's device receiving information that points to the location of encrypted content, an ordered list of data blocks, and a group key. The second user's device then checks whether the first user is trusted by evaluating the first user's identity information. If the first user is trusted, the second user's device retrieves the ordered list and the group key using the provided location information. The device then verifies the digital signatures of the first data block and the group key by obtaining and using the first user's public key. This ensures that the content and key are authentic and have not been tampered with. The ordered list defines the sequence of data blocks, allowing the second user to reconstruct the original content. The group key enables decryption of the encrypted content, while the verification process confirms the integrity and origin of the data. This method enhances security in distributed content sharing by ensuring that only trusted users can access and verify the shared information.
10. The method of claim 8 , further comprising, at the device of the second user: decrypting the key material portion of the group key using a private key of the second user; obtaining the encrypted content indicated by the information pointing to the location of the encrypted content in the first data block; and decrypting the encrypted content.
This invention relates to secure communication systems where multiple users share encrypted content using a group key. The problem addressed is ensuring that only authorized users can access and decrypt shared content while maintaining privacy and security. The method involves a first user encrypting content and generating a group key, which is divided into key material portions. Each key material portion is encrypted with a public key of a respective second user. The first user then creates a first data block containing the encrypted key material portions and information pointing to the location of the encrypted content. This data block is transmitted to the second user. At the second user's device, the encrypted key material portion is decrypted using the second user's private key. The device then retrieves the encrypted content based on the location information in the first data block and decrypts it using the decrypted key material. This ensures that only users with the correct private key can access the shared content, enhancing security in group communication systems. The method supports efficient key distribution and content sharing while maintaining confidentiality.
11. The method of claim 1 , generating the group key comprises encrypting the symmetric key of the first user with a private content key to produce an encrypted symmetric key, encrypting the encrypted symmetric key with each public key of the at least two other members of the group to produce a plurality of JavaScript Object Notation Web Encryption (JWE) encrypted keys.
This invention relates to secure group key distribution in cryptographic systems, addressing the challenge of efficiently sharing encryption keys among multiple users while maintaining privacy and security. The method involves generating a group key by first encrypting a symmetric key of a first user with a private content key, producing an encrypted symmetric key. This encrypted symmetric key is then further encrypted with the public keys of at least two other group members, resulting in multiple JavaScript Object Notation Web Encryption (JWE) encrypted keys. Each group member can decrypt their respective JWE encrypted key using their private key, ultimately obtaining the original symmetric key for secure communication. The approach ensures that only authorized group members can access the shared key, preventing unauthorized access while enabling efficient key distribution in group-based encryption scenarios. The use of JWE standardizes the encryption process, enhancing interoperability across different systems. This method is particularly useful in applications requiring secure group communication, such as messaging platforms, collaborative tools, or distributed systems where multiple parties need access to the same encryption key without compromising security.
12. An apparatus comprising: a network interface unit configured to enable communications over a network to enable confidential communication among members of a group by passing an ordered list of data blocks representing a chronological account of group member updates to the group; a processor coupled to the network interface unit, wherein the processor is configured to, on behalf of a first user who is a member of the group: generate a first data block for an ordered list of data blocks representing a chronological account of group member updates to the group, the first data block including a time stamp of creation of the first data block, identity information of the first user, information specifying addition of at least a second user to be a member to the group, and information pointing to a location of encrypted content to be shared among members of the group, the encrypted content having been encrypted with a symmetric key of the first user, wherein each data block comprises an object signed with a private key at the device of the user that created the data block and includes attributes representing: a Uniform Resource Indicator (URI) of the user that created the data block, an array of group membership update operations, a timestamp for creation of the data block, and a hash of a preceding data block in the ordered list; generate a group key that includes a hash of the first data block; encrypt a key material portion of the group key using a multi-recipient encryption process that indicates at least the second user as a recipient; communicate the ordered list and the group key to a communication resource to which a device of the second user has access; and send to the device of the second user the information pointing to the location of the encrypted content, and information pointing to the ordered list and the group key.
This invention relates to secure group communication systems, specifically enabling confidential sharing of encrypted content among group members. The problem addressed is the need for a tamper-proof, chronological record of group membership changes and shared content while ensuring only authorized members can access the encrypted data. The apparatus includes a network interface for group communication and a processor that manages an ordered list of data blocks representing group updates. Each data block contains a timestamp, user identity, group membership changes, and a pointer to encrypted content. The content is encrypted with a user's symmetric key. Each block is cryptographically signed by the creator's private key and includes a hash of the preceding block, ensuring integrity and chronological order. When a user adds a new member, the processor generates a new data block with the addition details and creates a group key by hashing the block. The group key's key material is encrypted using multi-recipient encryption, allowing only the new member to decrypt it. The ordered list, group key, and content location are then communicated to a shared resource accessible by the new member. The new member receives instructions to access the list, group key, and encrypted content, enabling secure decryption and participation in the group. This ensures only authorized members can access shared data while maintaining an immutable record of group changes.
13. The apparatus of claim 12 , wherein the processor is configured to generate the group key by encrypting the symmetric key of the first user with a private content key to produce an encrypted symmetric key, encrypting the encrypted symmetric key with each public key of the at least two other members of the group to produce a plurality of JavaScript Object Notation Web Encryption (JWE) encrypted keys.
This invention relates to secure group key distribution in cryptographic systems, addressing the challenge of efficiently sharing encryption keys among multiple users while maintaining privacy and security. The apparatus includes a processor that generates a group key by first encrypting a symmetric key of a first user with a private content key, producing an encrypted symmetric key. The processor then encrypts this encrypted symmetric key with the public keys of at least two other group members, resulting in multiple JavaScript Object Notation Web Encryption (JWE) encrypted keys. This approach ensures that only authorized group members can decrypt the symmetric key, enabling secure communication within the group. The system leverages asymmetric encryption for key distribution, reducing the risk of unauthorized access while maintaining compatibility with web-based encryption standards. The apparatus may also include a memory for storing keys and encrypted data, and a network interface for transmitting encrypted keys to group members. This method enhances security in group communications by combining symmetric and asymmetric encryption techniques, ensuring that only intended recipients can access the shared symmetric key.
14. The apparatus of claim 12 , wherein each data block comprises a JavaScript Object Notation (JSON).
This invention relates to data processing systems that handle structured data, particularly in distributed or cloud-based environments. The problem addressed is the efficient storage, retrieval, and processing of data blocks in a way that ensures compatibility, scalability, and ease of integration with modern web-based applications. The apparatus includes a data storage system where each data block is formatted as a JavaScript Object Notation (JSON) object. JSON is a lightweight, text-based data interchange format that is widely used for representing structured data in web applications due to its human-readable and machine-parsable nature. By storing data in JSON format, the system ensures seamless interoperability with web services, APIs, and client-side applications that rely on JSON for data exchange. The apparatus may also include mechanisms for indexing, querying, and transforming JSON data blocks to optimize performance and reduce latency in distributed environments. Additionally, the system may support schema validation, encryption, and compression of JSON data to enhance security and storage efficiency. The use of JSON format simplifies data serialization and deserialization processes, reducing the computational overhead associated with data processing tasks. This approach is particularly beneficial in scenarios where data needs to be frequently accessed, modified, and transmitted between different systems or components.
15. The apparatus of claim 14 , wherein a group membership update operation is indicated in the object with a field containing a tag indicating an add operation or a remove operation, and a URI of an entity being added to the group or removed from the group.
This invention relates to systems for managing group membership in distributed computing environments. The problem addressed is the need for efficient and reliable mechanisms to update group memberships, particularly in scenarios where multiple entities need to be dynamically added or removed from a group. Traditional methods often lack clarity or require complex protocols, leading to inefficiencies or errors in group synchronization. The apparatus includes a data object that stores group membership information. A key feature is the inclusion of a field within the object that explicitly indicates a group membership update operation. This field contains a tag that specifies whether the operation is an add or remove action, along with a Uniform Resource Identifier (URI) of the entity being added to or removed from the group. This structured approach ensures that updates are unambiguous and easily interpretable by systems processing the object. The apparatus may also include mechanisms to validate the URI and ensure the operation is authorized, enhancing security and reliability. By embedding the operation type and target entity directly in the object, the system avoids the need for separate control messages or complex protocols, simplifying group management while maintaining accuracy. This solution is particularly useful in distributed systems where group membership changes frequently and must be propagated efficiently across nodes.
16. A system to enable confidential communication among users who are members of a group, the system comprising: a first device associated with a first user who is a member of the group; a second device associated with a second user who is a member of the group; wherein the first device is configured to: generate a first data block for an ordered list of data blocks representing a chronological account of group member updates to the group, the first data block including a timestamp of creation of the first data block, identity information of the first user, information specifying addition of at least a second user to be a member to the group, and information pointing to a location of encrypted content to be shared among members of the group, the encrypted content having been encrypted with a symmetric key of the first user, wherein each data block comprises an object signed with a private key at the device of the user that created the data block and includes attributes representing: a Uniform Resource Indicator (URI) of the user that created the data block, an array of group membership update operations, a timestamp for creation of the data block, and a hash of a preceding data block in the ordered list; generate a group key that includes a hash of the first data block; encrypt a key material portion of the group key using a multi-recipient encryption process that indicates at least the second user as a recipient; communicate the ordered list and the group key to a communication resource to which a device of the second user has access; and send to the device of the second user the information pointing to the location of the encrypted content, and information pointing to the ordered list and the group key.
This system enables secure, confidential communication among members of a group by managing encrypted content and group membership updates through a distributed ledger-like structure. The system addresses the challenge of maintaining privacy and integrity in group communications while allowing dynamic membership changes. Each user device generates data blocks that form an ordered, chronological list representing group updates. These blocks contain timestamps, user identity information, group membership changes, and pointers to encrypted content. The content is encrypted using a user's symmetric key, ensuring only authorized members can access it. Each data block is cryptographically signed with the creator's private key and includes attributes such as the user's URI, membership operations, creation timestamp, and a hash of the preceding block, ensuring tamper-proof integrity. A group key is derived from a hash of the first data block and partially encrypted using multi-recipient encryption to share it securely with new members. The system communicates the ordered list and group key to a shared resource accessible by group members, while also providing pointers to the encrypted content and the list. This approach ensures that only authorized users can decrypt and access shared content while maintaining an auditable record of group changes.
17. The system of claim 16 , wherein the second device is configured to: generate a second data block to be appended to the order list, the second data block including a timestamp of creation of the second data block, a hash of the first data block in the ordered list, and information indicating additional of at least a third user as a new member to the group and/or information indicating removal of at least one user who is an existing member of the group; and send the second data block to a third device of the third user.
This invention relates to a distributed system for managing group membership in a decentralized manner, particularly for maintaining an immutable and verifiable record of changes to group composition. The system addresses the challenge of securely and transparently tracking additions and removals of users in a group without relying on a central authority, ensuring trust and accountability among participants. The system includes multiple devices, each associated with a user in the group. A first device generates a first data block containing a timestamp, a hash of a previous data block (if any), and information about the group's current state. This block is appended to an ordered list (e.g., a blockchain-like structure) to establish a verifiable record. A second device, upon receiving the first data block, generates a second data block that includes a timestamp, a hash of the first data block, and metadata indicating the addition of at least one new user (a third user) or the removal of an existing user. This second data block is then sent to the third user's device, ensuring the new member can verify the group's history and current state. The system ensures that all changes to group membership are cryptographically linked, preventing unauthorized modifications and providing a tamper-evident log of all updates. This approach is useful in applications requiring decentralized governance, such as blockchain-based organizations or secure collaborative platforms.
18. The system of claim 17 , wherein the third device is configured to validate the ordered list by: verifying signatures of each data block in the ordered list; verifying that each data block contains a valid hash of a preceding data block in the ordered list; and verifying that each data block in the ordered list was created and signed by a member of the group.
19. The system of claim 16 , wherein each data block comprises a JavaScript Object Notation (JSON) object.
A system for managing and processing data blocks in a distributed computing environment addresses the challenge of efficiently storing, transmitting, and retrieving structured data across multiple nodes. The system organizes data into discrete blocks, each containing a self-contained unit of information, to facilitate scalable and fault-tolerant operations. Each data block is formatted as a JavaScript Object Notation (JSON) object, enabling standardized, human-readable, and machine-parsable data representation. JSON objects within the data blocks support nested structures, key-value pairs, and various data types, allowing flexible and extensible data modeling. The system leverages JSON's interoperability to ensure seamless integration with diverse applications, APIs, and programming languages. By using JSON objects, the system enhances data portability, simplifies serialization and deserialization processes, and reduces parsing complexity. The structured format also supports metadata inclusion, enabling efficient indexing, querying, and validation of data blocks. This approach improves data consistency, reduces transmission overhead, and accelerates processing in distributed systems. The system may further include mechanisms for encrypting, compressing, or signing JSON objects to ensure security and integrity during transmission and storage. The use of JSON objects in data blocks enables efficient handling of structured data in distributed environments, improving scalability, reliability, and interoperability.
20. The system of claim 16 , wherein the device of the second user is configured to: receive the information pointing to the location of the encrypted content, the ordered list and the group key; determine that the first user is trusted based on the identity information of the first user; if it is determined that the first user is trusted, retrieve the ordered list and the group key using the information pointing to the ordered list and the group key; and verify signatures of the first data block and the group key by discovering and retrieving a public key of the first user.
This invention relates to secure content sharing systems where encrypted content is distributed among users in a group. The problem addressed is ensuring that only trusted users can access and verify the integrity of shared encrypted content. The system involves a first user encrypting content and generating a group key, then distributing information about the encrypted content, an ordered list of data blocks, and the group key to a second user. The second user's device is configured to receive this information, verify the trustworthiness of the first user based on their identity information, and if trusted, retrieve the ordered list and group key. The device then verifies the integrity of the first data block and the group key by obtaining the first user's public key and checking their digital signatures. This ensures that the content and key are authentic and have not been tampered with. The system enhances security in group-based content sharing by combining trust verification with cryptographic validation.
Unknown
January 16, 2018
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.